floatboth No.21070425
Wait, how exactly does iframe sandbox not solve everything? Emails definitely should be shown in them; even with client-side decryption, you can create an iframe from a data: URI. iframe sandbox is the strongest sandbox possible. Unique origin, no JS execution…
1. jcranmer No.21071390
What you need is something like https://bugzilla.mozilla.org/show_bug.cgi?id=80713 that lets you make the <iframe> act more like an autosizing <div> than a fixed-size frame. https://github.com/w3c/csswg-drafts/issues/1771 is a suggestion for adding this sizing into CSS, but there's concern about the ability to leak information through the size of the container.